Samsung Galaxy S5 fingerprint scanner susceptible to spoofing hack

The fingerprint scanner security feature of the newly launched Samsung Galaxy S5 smartphone can be bypassed with a spoofing hack. The hack was demonstrated by researchers from Germany-based Security Research Labs.

This exploit comes in the wake of a similar one developed by a team of white hackers for the fingerprint sensor of the iPhone 5s. Ars Technica has observed such hacks exposed the inherent risk of using biometric security features that promise convenience without the hassle of having to recall passwords or keystrokes.

RELATED STORIES

• Samsung bets on fingerprint tech for Galaxy S5
• Review: Samsung Galaxy S5
• Teardown reveals Samsung S5 costs about $320 to build
• 5 security tips to keep your gadgets safe

In an email to Ars Technica, the Germany researchers said that they wished the fingerprint sensor of the Galaxy S5 had provided more challenge. Instead, they chided the engineers for not implementing stricter anti-spoofing measures; in addition, a password challenge feature should have been added, after a number of unsuccessful swipes attempt.

The most pressing concern arising from the Galaxy S5 fingerprint spoofing hack is the ability of the hacker to take over the Paypal account, authenticated with the compromised fingerprint.

According to Security Research Labs, their spoofed fingerprint was "crafted by taking a camera-phone photo of an unprocessed latent print smudge left on a smartphone screen." The exploit was carried out using a "wood glue spoof" made from an etched PCB mould. In fact, the exploit was built on the researchers' prior works done while researching the Apple Touch ID feature.

Hardware Zone had previously reported on the Chaos Computer Club's success in hacking the Apple Touch ID feature in September last year:

The biometrics hacking team at Chaos Computer Club has successfully bypassed the biometric security of Apple's iPhone 5S' fingerprint scanner using a high-res photo of a fingerprint of the phone user taken from a glass surface and a latex mix.

CCC used the following method:

"First, the fingerprint of the enroled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market."

Apple had previously stated that the biometric sensor would be harder to hack into than previous sensors, due to "the sensor scanning just beneath external skin layers to see the living layer of skin directly under the surface". However, CCC hacker Starbug states, "in reality, Apple's sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake." 

Visit Hardware Zone for more stories.